P/6400KGBA

A secure communication method

In summary the main invention is related to a secure email solution.

1. The concept of an m-KEM. This is a method which takes as input a set of public keys and then produces a session key plus an encapsulation (encryption) of that session key under all the public keys. The method comes with an associated decapsulation method which allows anybody who knows the secret key associated with any of the public keys to recover the session key from the encapsulation.

a. An instantiation of the above by naively concatenating encryptions of the session key together.

b. An efficient instantiation of the above using a variant of the ElGamal encryption scheme.

2. The concept of an m-ID encryption scheme. This takes as input a set of identities and allows the encryption of an arbitrary message to one of these identities, such that any user with the associated private key for any of the identities is able to decrypt the message.

a. An efficient instantiation of an m-ID encryption scheme using an adaption of the Boneh-Franklin encryption scheme based on pairings on elliptic curves.

3. The concept of an ID-m-KEM. This is like the above m-KEM except that now the public keys are replaced with simple identity strings, thus allowing the use of an m-KEM in the identity based setting as well as the public key setting.

a. An efficient instantiation of an ID-m-KEM using the m-ID encryption scheme.

4. The concept of using the transform s → s + 1/s so as to remove the need for transmitting y-coordinates or using point compression in schemes based on pairings. Such schemes would include the Boneh-Franklin ID-based encryption scheme, the BLS signature scheme, the Hess ID-based signature scheme plus the m-ID and ID-m-KEM mentioned above.

5. The concept of adding trust authority keys together so as to create intersecting domains of trust in an ID-based infrastructure.

Clearly the above ideas can be applied to any system which wishes to enable secure messages being sent and is not just restricted to the email environment.
m-KEMs and ID-m-KEMs

Abstract. We present the notion of an m-KEM, which is a Key Encapsulation Mechanism (KEM) which takes multiple public keys as input. This has applications where one wishes to encrypt a single large document to a set of multiple recipients, as when one sends an encrypted email to more than one person. We present a security model and show that the naive approach to defining an m-KEM is secure in this model. We go on to present a more efficient construction of an m-KEM. Finally we turn to identity based variants and give a construction, based on pairings, which is significantly more efficient than the naive application of the Boneh-Franklin scheme applied a multiple number of times.

1 Introduction

Public key cryptography has been traditionally concerned with two parties communicating. In the traditional scenario one party, Alice, wishes to communicate securely with one other party, Bob. Alice obtains Bob's authentic public key and encrypts the data she wishes to send to Bob. Bob, knowing the associated private key, is able to decrypt the ciphertext to obtain Alice's message. Since public key algorithms are very slow, if Alice wishes to send a large amount of data to Bob she typically generates a symmetric session key, encrypts it to Bob using Bob's public key algorithm and then encrypts the actual data using a fast symmetric cipher keyed by the session key. Such a combination of public key and symmetric techniques is called a hybrid encryption algorithm.

This hybrid technique has been strengthened in recent years with the use of the KEM-DEM philosophy, see [6] and [7]. In this approach one first defines a data encapsulation mechanism (DEM) which takes a key K and a message M and computes

    C ← DEM_K(M).

Given knowledge of K one can also recover M by inverting the DEM. To transport the key K to the recipient of the ciphertext the sender uses a key encapsulation mechanism (KEM). This is an algorithm which takes as input a public key pk and outputs a session key K plus an encapsulation E of this session key under the public key. Notice that the session key is not used as input to the KEM. The recipient recovers the key K using his private key sk via the decapsulation mechanism. The full ciphertext of the message M is then given by

    E || C.

The use of the KEM-DEM philosophy allows the different components of a hybrid encryption scheme to be designed in isolation, leading to a simple analysis and hopefully more efficient schemes.

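As an added illustration (not code from the paper) of the DEM half of the KEM-DEM split just described, here is a toy DEM in Python together with the framing of the full ciphertext E || C. It assumes a 32-byte session key K handed over by some KEM, builds the symmetric cipher from a SHA-256 counter keystream with an HMAC tag (a stand-in for a real authenticated cipher such as AES-GCM), and uses a two-byte length prefix of our own choosing to separate E from C.

```python
import hashlib
import hmac
import os

# Added example, not from the paper: a toy DEM in the KEM-DEM style of
# Section 1, built only from SHA-256 and HMAC so that it runs offline.
# A real deployment would use an authenticated cipher such as AES-GCM.
# The KEM is abstracted away: it hands us a session key K of KEY_LEN bytes.
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: SHA-256(k_enc || nonce || counter), truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(k_enc + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(K: bytes):
    # Derive independent encryption and MAC keys from the session key K.
    assert len(K) == KEY_LEN
    return hashlib.sha256(b"enc" + K).digest(), hashlib.sha256(b"mac" + K).digest()


def dem_encrypt(K: bytes, message: bytes) -> bytes:
    """DEM_K(M): returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    k_enc, k_mac = _subkeys(K)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(message, _keystream(k_enc, nonce, len(message))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def dem_decrypt(K: bytes, blob: bytes):
    """Inverse of dem_encrypt; returns None if the tag does not verify."""
    k_enc, k_mac = _subkeys(K)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def hybrid_encrypt(encapsulation: bytes, K: bytes, message: bytes) -> bytes:
    """The full ciphertext E || C of Section 1.  The two-byte length prefix
    that lets the recipient split E from C is our own framing assumption."""
    return len(encapsulation).to_bytes(2, "big") + encapsulation + dem_encrypt(K, message)


def hybrid_split(blob: bytes):
    """Recover (E, C) from the framed ciphertext."""
    n = int.from_bytes(blob[:2], "big")
    return blob[2:2 + n], blob[2 + n:]


def roundtrip_ok() -> bool:
    """Encrypt with a fresh K, split E from C, and decrypt C under K."""
    K = os.urandom(KEY_LEN)
    E = b"constructed-encapsulation"      # stand-in for a KEM output
    msg = b"large document sent to several people"
    E2, C = hybrid_split(hybrid_encrypt(E, K, msg))
    return E2 == E and dem_decrypt(K, C) == msg


def tamper_detected() -> bool:
    """A flipped ciphertext bit, or the wrong key, is rejected by the tag check."""
    K = os.urandom(KEY_LEN)
    C = dem_encrypt(K, b"meeting moved to noon")
    flipped = bytearray(C)
    flipped[NONCE_LEN] ^= 0x01            # flip one bit of the ciphertext body
    wrong_key = os.urandom(KEY_LEN)
    return dem_decrypt(K, bytes(flipped)) is None and dem_decrypt(wrong_key, C) is None
```

The DEM rejects any ciphertext whose tag does not verify, which is the property the KEM-DEM composition relies on: the session key K is never an input to the KEM, and the DEM's security is argued on its own.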
However, as soon as one moves away from the traditional two-party setting problems occur. Suppose Alice now wishes to send a large file to two parties (say Bob and Charlie), for example she may wish to encrypt an email to Bob and Charlie, or encrypt a file on her system such that either Bob or Charlie can decrypt it. From one's own experience one notices that very few emails are sent to a single recipient, hence such a one-to-many model is clearly of importance.

A number of possible solutions exist to this problem, all of which have disadvantages. In the first naive solution one simply encrypts the data twice, once for Bob and once for Charlie, using their respective public key schemes. This is clearly wasteful, especially if the data to be encrypted is large. A more efficient solution would be to encrypt the data once with a symmetric encryption key K and then encrypt this key under Bob and Charlie's public keys, so that the ciphertext consists of the two public key encryptions of K followed by the symmetric encryption of the data. While this is probably sufficient for two users, this can become very expensive for a large number of users.

In addition it is unclear what security model one is using for such a scheme. The work of Bellare, Boldyreva and Micali [2] looks at the security of encryption schemes in the presence of many users but did not consider the fact that a ciphertext could correspond to different users. In their model the above hybrid encryption to two parties would be considered as two encryptions, whereas we wish to treat it as a single encryption.

The use of the KEM-DEM philosophy in such a situation is also not applicable. After all the KEM produces the session key, hence application of a KEM for two users would result in two different session keys. What is required is a KEM-like construction which takes as input n public keys and outputs a session key and an encapsulation of that session key under each of the input public keys. We would like such a multiple KEM (or m-KEM) which is more efficient than the above concatenation of public key encryptions of a session key.

In this paper we propose such m-KEMs and propose a security model that they should possess. We show that the above naive concatenation method is secure in this model, although inefficient. We then present a public key m-KEM based on the Diffie-Hellman problem which is more efficient than repeated encryption of a session key using an analogous traditional public key system.

In addition we present ID based variants of our ideas. The use of identity based encryption has become of interest since the ground breaking work of Boneh and Franklin [3]. We present an ID based m-KEM which is much more efficient for encrypting to a large number of identities than repeated use of the Boneh-Franklin scheme for encrypting a session key. Our construction makes use of the Boneh-Franklin scheme but also uses a special case of the construction of Smart [8] for encrypting to arbitrary policies.

2 Notation

We let v ← u for variables v and u denote assignment. For a set S we let v ← S denote the variable v being assigned the set S and v ←_R S denote v being assigned an element of the set S chosen uniformly at random.

If A is a, possibly probabilistic, algorithm then v ← A denotes v being assigned the output of algorithm A with the probability distribution induced by A's input and internal random choices. If we wish to make explicit precisely what value r is used as the randomness in a probabilistic algorithm A(x) with input x we write A(x; r).

A function f is said to be negligible if for all polynomials p there exists a constant N_p such that f(x) < 1/p(x) for all x > N_p.

3 Security of a KEM

A KEM (key encapsulation mechanism) is a public key scheme which allows a sender to generate an encryption of a random session key, and allows the holder of the correct private key to recover the session key from the ciphertext. We let D denote a set of domain parameters which could consist of only the security parameter written in unary 1^k, or could consist of a public group and generator as in ElGamal systems.

More formally we define a KEM as a triple of algorithms (G_KEM, E_KEM, D_KEM):

— G_KEM(D) which is a probabilistic key generation algorithm. On input of D this algorithm outputs a public/private key pair (pk, sk).

— E_KEM(pk) which is a probabilistic encapsulation algorithm. On input of a public key pk this algorithm outputs an encapsulated key-pair (K, C), where K ∈ K is the session key and C is an encapsulation of the key K under the public key pk. In other words C is a ciphertext of the message K. We assume that the keys in the space K of all keys output by E_KEM are of some fixed length.

— D_KEM(C, sk) which is a decapsulation algorithm. This takes as input an encapsulation C and a private key sk and outputs a key K or a special symbol ⊥ representing the case where C is an invalid encapsulation with respect to the private key sk.

For such a scheme to be useful we require that it is sound in the following sense: for (pk, sk) ← G_KEM(D) and (K, C) ← E_KEM(pk) we require D_KEM(C, sk) = K.

Security of a KEM is defined in the following way. We assume an adversary A which runs in two stages. In the first stage it is allowed to produce encapsulations and (depending on the precise security definition we require) it may be allowed access to a decapsulation oracle on encapsulations of its choosing. At the end of this stage it returns some state information.

In the second stage it is provided with a challenge encapsulation C*, its state information from the first stage plus two keys K_0 and K_1. The adversary's goal in the second stage is to decide which key K_b is encapsulated by C*. In this second stage it may also have access to a decapsulation oracle, but if it does it is not allowed to request the decapsulation of the challenge C*.

Consider the following game played with such an adversary:

    (pk, sk) ← G_KEM(D).
    s ← A_1(pk).
    b ←_R {0, 1}.
    (K_b, C*) ← E_KEM(pk).
    K_{1−b} ←_R K.
    b' ← A_2(C*, s, K_0, K_1).
    Output whether b = b'.

The adversary is said to win the game if b = b'. The advantage of an adversary A is defined to be

    Adv_A = |Pr(b = b') − 1/2|.

If the maximum advantage over all possible adversaries A is a negligible function of the security parameter k then we say that the KEM is IND-xxx secure, where xxx denotes what access A is allowed to a decapsulation oracle. If A is not allowed any access to such an oracle then we say the scheme is IND-CPA secure, if it is only allowed access during stage one then we say the scheme is IND-CCA1 secure and if it is allowed access in both stages (subject to the earlier restriction on requesting the decapsulation of C*) then we say the scheme is IND-CCA2 secure.

A KEM needs to be used with a DEM (data encapsulation mechanism) to provide a hybrid encryption algorithm. A DEM is a symmetric encryption algorithm which takes a symmetric key k and a message (resp. ciphertext) and provides the corresponding ciphertext (resp. message). Security definitions can be provided for such DEMs, which are independent of the security definition of the associated KEM. The combined KEM-DEM encryption scheme is said to be secure in the standard IND-CCA2 sense (for a public key encryption scheme) if the DEM is secure and the KEM is secure in the IND-CCA2 sense above. Hence, the goal is to define KEMs which are IND-CCA2 secure.



4 m-KEMs and ID-m-KEMs

We now extend the notion of KEM to deal with the case where one wants to encrypt a large amount of data to multiple people, say n people. In such a situation it makes sense to apply the DEM once and so one requires a mechanism which creates the symmetric key for the DEM and an encapsulation which encapsulates the key to many parties at once. We call such a system an m-KEM for "multiple KEM".

We also introduce the notion of an ID-KEM and an ID-m-KEM which are the analogous definitions in an ID-based setting, as opposed to a traditional public key setting. In the following sections we define these notions and provide appropriate security definitions.



4.1 m-KEMs

Note, a trivial solution would be to generate a session key K for the DEM and then encrypt this to the various intended receivers by encrypting using an IND-CCA2 public key encryption algorithm. This would produce n distinct ciphertexts c_1, ..., c_n, each encrypting K for n different users. We would then define the key encapsulation as the concatenation

    C = c_1 || · · · || c_n.

Our goal however is to do this in a more efficient manner, where one measures efficiency either in terms of computing resources or in terms of length of the resulting encapsulation C.

Note, in the above trivial system one would need to specify which ciphertext component c_i corresponded to which user u_i. Hence, the ciphertext should actually contain some information specifying which ciphertext corresponds to which user, i.e. we need to have something like

    C = u_1 || c_1 || u_2 || c_2 || · · · || u_n || c_n.

In our future discussion we shall drop this explicit reference to which user each component corresponds to. Instead we shall pass the list of recipients to the decryption function as an optional additional parameter.

Just as for a KEM, we define an m-KEM formally as a triple of algorithms (G_mKEM, E_mKEM, D_mKEM) where, adapting the earlier definition, we have

— G_mKEM(D) which is a probabilistic key generation algorithm. On input of D, the domain parameters, this algorithm outputs a public/private key pair (pk, sk).

— E_mKEM(P) which is a probabilistic encapsulation algorithm. On input of a set of public keys P = {pk_1, ..., pk_n} this algorithm outputs an encapsulated key-pair (K, C), where K ∈ K is the session key and C is an encapsulation of the key K under the public keys {pk_1, ..., pk_n}.

— D_mKEM(C, sk, P) which is a decapsulation algorithm. This takes as input an encapsulation C and a private key sk, plus optionally the set of all recipients P, and outputs a key K or a special symbol ⊥ representing the case where C is an invalid encapsulation with respect to the private key sk.

Soundness is now defined as follows.

    Pr( (pk_i, sk_i) ← G_mKEM(D) ∀ i ∈ {1, ..., n},
        (K, C) ← E_mKEM({pk_1, ..., pk_n}),
        i ←_R {1, ..., n} : K = D_mKEM(C, sk_i) ) = 1.

Security of an m-KEM is defined in a similar manner to a KEM via the following game.

    (pk_i, sk_i) ← G_mKEM(D) ∀ i ∈ {1, ..., n}.
    P' ← {pk_1, ..., pk_n}.
    {s, P} ← A_1(P') where P ⊂ P' and m = #P ≤ n.
    b ←_R {0, 1}.
    (K_b, C*) ← E_mKEM(P).
    K_{1−b} ←_R K.
    b' ← A_2(C*, s, K_0, K_1).
    Output whether b = b'.

Notice in stage one the adversary picks a set P of public keys on which it wants to be challenged. One needs to be careful about the oracle access to the decapsulation oracle. To see why consider our earlier trivial m-KEM with two parties, where the challenge is given by the concatenation

    C* = c_1 || c_2.

However, using a traditional CCA2 definition of security an adversary could produce the encapsulation

    C = c_1

and ask the decapsulation oracle to return the associated key. Since C ≠ C* this is a valid oracle query, which would result in the adversary breaking the system.

However, we feel such an oracle query is too stringent for our purpose. We therefore restrict decapsulation oracle queries in the second stage to be only allowed if the resulting key is different from the key encapsulated by C*. Such a restricted oracle access is used in other works to deal with public key encryption algorithms which suffer from benign malleability.

We say an m-KEM is (m, n)-IND-CCA2 secure, for integers n and m with m ≤ n, if the advantage of the adversary winning the above game is negligible as a function of k. We assume the adversary is allowed access to decapsulation oracle queries in both stages, subject to the above restriction on
4.2 ID-m-KEMs

We now turn to providing a definition for an ID-based m-KEM. A definition for an ID based equivalent of a KEM (i.e. with respect to a single identity) follows from the general definition by taking the number of identities equal to one. Hence we shall not discuss ID-KEMs further and shall concentrate on the more general ID-m-KEMs.

An ID based cryptosystem, such as that of Boneh and Franklin [3] or Cocks [4], is based on a trust authority who generates a single public/private key pair at setup for themselves. Users' public keys are then given by a deterministic function of their identities; the associated private key they obtain from the trust authority by means of a so-called extraction query.

We therefore define an identity based multiple KEM (ID-m-KEM) formally as a quartet of algorithms (G, X, E, D) as before where, adapting the earlier definitions, we have

— G_ID-mKEM(D) which is a probabilistic key generation algorithm for the trust authority. On input of D, the domain parameters, this algorithm outputs a public/private key pair (pk, sk).

— X_ID-mKEM(ID, sk) is the trust authority's key extraction algorithm. It takes as input the trust authority's private key sk and an identity string ID and outputs the associated secret key S_ID.

— E_ID-mKEM(I, pk) which is a probabilistic encapsulation algorithm. On input of a set of identities I = {ID_1, ..., ID_n} and the trust authority's public key pk, this algorithm outputs an encapsulated key-pair (K, C), where K ∈ K is the session key and C is an encapsulation of the key K under the identities {ID_1, ..., ID_n}.

— D_ID-mKEM(C, S_ID, pk, I) which is a decapsulation algorithm. This takes as input an encapsulation C, a private key S_ID and the trust authority public key pk, plus optionally the set of all recipients I. It then outputs a key K or a special symbol ⊥ representing the case where C is an invalid encapsulation with respect to the private key S_ID.

Soundness is now defined as follows.

    Pr( (pk, sk) ← G_ID-mKEM(D),
        S_ID_i ← X_ID-mKEM(ID_i, sk) ∀ i ∈ {1, ..., n},
        (K, C) ← E_ID-mKEM({ID_1, ..., ID_n}, pk),
        i ←_R {1, ..., n} : K = D_ID-mKEM(C, S_ID_i, pk) ) = 1.

Security is now defined with respect to the following game, which is the m-KEM game above with the trust authority public key pk in place of the set of public keys and with the adversary's first stage replaced by

    {s, P} ← A_1(pk), where P is a set of identities with m = #P ≤ n,

the challenge then being encapsulated to the identities in P. Except now, for full (m, n)-ID-IND-CCA2 security, we allow the adversary A not only access to a decapsulation oracle, we also allow access to a secret key extraction oracle that will output the key S_ID for any queried identity ID. These oracle accesses are subject to the following provisos:

— In the second stage it cannot ask for the decapsulation of any encapsulation C which would result in the same key K as that encapsulated by C*. Hence we allow benign forms of malleability.

— If ID is queried to X_ID-mKEM in the first stage then ID ∉ P.

— If ID ∈ P then the oracle X_ID-mKEM may not be queried with ID in the second stage.






5 Constructions of m-KEMs

We start this section by giving a generic construction which mirrors the naive construction of the introduction. Then we go on to provide a more efficient construction based on the ElGamal encryption function.

5.1 A Generic Construction

We let (G, E, D) denote a public key encryption algorithm which is IND-CCA2 secure. We define an m-KEM from (G, E, D) as follows, where M is the message space, R is the space of randomness used by E and KDF is a key derivation function.

    G_mKEM(D):
        (pk, sk) ← G(D).
        Output (pk, sk).

    E_mKEM({pk_1, ..., pk_n}):
        m ←_R M.
        r_i ←_R R for all i.
        c_i ← E(m, pk_i; r_i) for all i.
        K ← KDF(m).
        C ← (c_1, ..., c_n).
        Output (K, C).

    D_mKEM(C, sk_i):
        Parse C as (c_1, ..., c_n).
        m ← D(c_i, sk_i).
        If m = ⊥ then output ⊥ and halt.
        K ← KDF(m).
        Output K.

Later we shall show

Theorem 1. If (G, E, D) is IND-CCA2 secure as a public key encryption scheme and n grows as a polynomial function of the security parameter then the m-KEM
5.2 An efficient ElGamal based m-KEM

We now present an efficient m-KEM based on the ElGamal encryption algorithm for a group G of prime order q ≈ 2^k with generator g. We let D = {q, g, G} denote the domain parameters of the scheme. ElGamal is then given by the triple of algorithms

    G(D):
        sk ←_R Z_q.
        pk ← g^sk.
        Output (pk, sk).

    E(m, pk; r):
        c_1 ← g^r.
        c_2 ← m · pk^r.
        Output (c_1, c_2).

    D((c_1, c_2), sk):
        m ← c_2 / c_1^sk.
        Output m.

This is OW-CPA secure assuming the Diffie-Hellman problem for the group G is hard. Hence, the KEM derived from ElGamal by Dent's construction, see Appendix A, is IND-CCA2 secure.

We now derive an m-KEM from ElGamal by letting the key generation function be as in standard ElGamal. We then define encapsulation and decapsulation via the following, where H is a hash function with codomain Z_q and KDF is a key derivation function, as in Dent's construction:

    E_mKEM({pk_1, ..., pk_n}):
        m ←_R G.
        r ← H(m).
        c_0 ← g^r.
        c_i ← m · pk_i^r for i = 1, ..., n.
        K ← KDF(m).
        C ← (c_0, c_1, ..., c_n).
        Output (K, C).

    D_mKEM(C, sk_i):
        Parse C as (c_0, c_1, ..., c_n).
        m ← c_i / c_0^{sk_i}.
        r ← H(m).
        If c_0 ≠ g^r then output ⊥ and halt.
        K ← KDF(m).
        Output K.

Later we shall prove

Theorem 2. If n grows as a polynomial function of the security parameter k and the Diffie-Hellman problem in G is hard then, in the random oracle model, the above m-KEM is secure, for n users, in the sense of (m, n)-IND-CCA2 for m-KEMs for all m ≤ n.

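The following Python is an added example, not the paper's code: the ElGamal based m-KEM of Section 5.2, that is Dent's transform of Appendix A applied to all n public keys under one shared c_0, over a toy group of prime order q = 1019 inside Z_2039^* (far too small for real use, chosen so that it runs instantly). H and KDF are instantiated with SHA-256 under distinct prefixes, the recipient's index i takes the place of the optional recipient list, and the last two functions exercise the points discussed in Section 4.1: a tampered c_0 never yields the real key, while dropping another recipient's c_i gives a different encapsulation of the same key, the benign malleability that motivates the restricted decapsulation oracle.

```python
import hashlib
import secrets

# Added example, not code from the paper: the ElGamal based m-KEM of Section
# 5.2 (Dent's transform of Appendix A applied to n ElGamal public keys at
# once) over a toy group.  Domain parameters D = (q, g, G): G is the order-q
# subgroup of Z_p^* for the safe prime p = 2q + 1.  These sizes are far too
# small to be secure and are chosen only so the arithmetic runs instantly.
P_MOD = 2039     # prime p = 2q + 1
Q_ORD = 1019     # prime order q of the subgroup G
GEN = 4          # generator g of G (a quadratic residue mod p)


def H(m: int) -> int:
    """Hash of a group element m into Z_q (modelled as a random oracle)."""
    return int.from_bytes(hashlib.sha256(b"H" + m.to_bytes(4, "big")).digest(), "big") % Q_ORD


def KDF(m: int) -> bytes:
    """Key derivation from a group element m (modelled as a random oracle)."""
    return hashlib.sha256(b"KDF" + m.to_bytes(4, "big")).digest()


def keygen():
    """G_mKEM(D): a standard ElGamal key pair (pk, sk) with pk = g^sk."""
    sk = secrets.randbelow(Q_ORD - 1) + 1
    return pow(GEN, sk, P_MOD), sk


def encapsulate(pks):
    """E_mKEM({pk_1, ..., pk_n}): one session key, one encapsulation for all."""
    m = pow(GEN, secrets.randbelow(Q_ORD - 1) + 1, P_MOD)   # m <- G at random
    r = H(m)                                                 # r <- H(m)
    c0 = pow(GEN, r, P_MOD)                                  # c_0 <- g^r (shared)
    cs = [m * pow(pk, r, P_MOD) % P_MOD for pk in pks]       # c_i <- m * pk_i^r
    return KDF(m), (c0, cs)                                  # (K, C)


def decapsulate(C, sk, i):
    """D_mKEM(C, sk_i): recipient i recovers K, or None (the paper's ⊥)."""
    c0, cs = C
    if not 0 <= i < len(cs):
        return None
    m = cs[i] * pow(pow(c0, sk, P_MOD), -1, P_MOD) % P_MOD   # m <- c_i / c_0^{sk_i}
    r = H(m)
    if pow(GEN, r, P_MOD) != c0:     # Dent's check: c_0 must equal g^{H(m)}
        return None
    return KDF(m)


def all_recipients_agree(n: int = 3) -> bool:
    """Every one of the n recipients recovers the same K from the one C."""
    keys = [keygen() for _ in range(n)]
    K, C = encapsulate([pk for pk, _ in keys])
    return all(decapsulate(C, sk, i) == K for i, (_, sk) in enumerate(keys))


def tampered_encapsulation_fails() -> bool:
    """Altering c_0 never yields the real key: the check rejects it or, with
    probability about 1/q in this toy group, passes on a wrong m, which gives
    a different key either way."""
    pk, sk = keygen()
    K, (c0, cs) = encapsulate([pk])
    forged = (c0 * GEN % P_MOD, cs)
    return decapsulate(forged, sk, 0) != K


def benign_malleability() -> bool:
    """Dropping a recipient's component gives a different encapsulation that
    decapsulates to the same key, which is why Section 4.1 restricts second
    stage oracle queries by the resulting key rather than by C != C*."""
    keys = [keygen() for _ in range(3)]
    K, (c0, cs) = encapsulate([pk for pk, _ in keys])
    shorter = (c0, cs[:2])
    return shorter != (c0, cs) and decapsulate(shorter, keys[0][1], 0) == K
```

Note that c_0 is computed once and reused by every recipient, which is where the saving over n independent ElGamal encryptions comes from; the price is that the decapsulator must recompute g^{H(m)} to validate c_0, the second exponentiation counted in Section 7.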
6 An ID-m-KEM

In this section we present an ID-m-KEM which, when combined with a suitable DEM, is more efficient at encrypting a large message to a large number of identities than repeated application of the Boneh-Franklin ID-IND-CCA2 [3] scheme to the DEM's session key.

However, before presenting the ID-m-KEM in full we first present an ID-based encryption scheme which encrypts to n participants at once. We call such a scheme an m-ID encryption scheme. The following scheme will form the basis of our ID-m-KEM and is derived from the more general system described in [8], where the underlying ideas were used in the context of "cryptographic workflow".

Our scheme is based on the Boneh-Franklin system. We will assume that we have a cyclic subgroup G_1 of prime order q ≈ 2^k of an elliptic curve and a subgroup G_2 of a finite field such that there is a computable non-degenerate bilinear pairing

    t : G_1 × G_1 → G_2.

We write the group operation additively in G_1 and multiplicatively in G_2 and let P denote a generator of G_1. We let the domain parameters D consist of q, G_1, G_2, t and P.

We shall assume that in this setting the Bilinear Diffie-Hellman problem (BDH) is hard. This means that given P, aP, bP, cP, for P ∈ G_1 and a, b, c ∈ F_q, it is hard to compute t(P, P)^{abc} ∈ G_2.

We need to define some cryptographic hash functions: H_1 mapping identity strings into G_1, and H_2 mapping G_2 to bit strings of length l, the message length. To every identity ID we associate the point Q_ID ∈ G_1 given by

    Q_ID = H_1(ID).

The point Q_ID is the public key associated with the identity ID. The m-ID encryption scheme is then given by the following set of algorithms.

— G_m-ID(D), the probabilistic key generation algorithm for the trust authority:

        sk ←_R F_q.
        R ← sk·P.
        Output (pk, sk), where pk = R.

— X_m-ID(ID, sk), the trust authority's key extraction algorithm:

        S_ID ← sk·Q_ID.
        Output S_ID.

— E_m-ID(m, I, R; r) which is a probabilistic encryption algorithm which takes as input a message m (of l bits in length), n identities I = {ID_1, ..., ID_n}, the trust authority public key R and the randomness r ∈ F_q:

        U ← r·P.
        t ← t(R, Q_ID_1)^r.
        T_i ← Q_ID_{i+1} − Q_ID_1 for i < n.
        U_i ← r·T_i for i < n.
        V ← m ⊕ H_2(t).
        Output c = (U, U_1, ..., U_{n−1}, V).

— D_m-ID(c, S_ID_i, R) which is a decryption algorithm. This takes as input a ciphertext c, a private key S_ID_i and the trust authority's public key R and outputs the message m:

        Parse c as (U, U_1, ..., U_{n−1}, V).
        If i = 1 then t ← t(S_ID_1, U).
        If i ≠ 1 then t ← t(S_ID_i, U) / t(R, U_{i−1}).
        m ← V ⊕ H_2(t).
        Output m.






Note in the case where n = 1 this becomes the scheme BasicIdent of [3]. We define OW-security for an m-ID encryption scheme in the obvious way. We say such a scheme is n-OW secure if in the second stage the adversary is passed a ciphertext encrypted to at most n identities. Clearly the above scheme is 1-OW secure since BasicIdent is secure by Theorem 4.1 of [3] assuming the BDH problem is hard. We conjecture that the above scheme is n-OW secure for all n as n grows as a polynomial function of the security parameter.

Using the above m-ID encryption scheme we define our ID-m-KEM as follows: The trust authority key generation G_ID-mKEM and key extraction algorithm X_ID-mKEM are as G_m-ID and X_m-ID above. The encapsulation mechanism then makes use of the analogue of Dent's construction, see Appendix A, with a hash function H with codomain F_q and a key derivation function KDF.

    E_ID-mKEM(I, pk):
        m ←_R M.
        r ← H(m).
        C ← E_m-ID(m, I, R; r).
        K ← KDF(m).
        Output (K, C).

    D_ID-mKEM(C, S_ID_i, pk):
        m ← D_m-ID(C, S_ID_i, R).
        r ← H(m).
        Parse C as (U, U_1, ..., U_{n−1}, V).
        If U ≠ r·P then output ⊥ and halt.
        K ← KDF(m).
        Output K.

Later we shall prove the following theorem

Theorem 3. If n grows as a polynomial function of the security parameter k then, in the random oracle model, the above ID-m-KEM is secure in the sense of restricted (1, n)-ID-IND-CCA2 for ID-m-KEMs, assuming the BDH assumption holds.

We conjecture that the above ID-m-KEM is in fact (m, n)-ID-IND-CCA2 secure for all m ≤ n, but have been unable to prove this.



7 Efficiency Comparison

We first compare our ElGamal based m-KEM for n users against naive concatenation of n ElGamal ciphertexts together. We let EG(n) denote an IND-CCA2 version of ElGamal (such as EC-IES/DH-IES [1]) applied n times to encrypt a session key. We let EG_KEM(n) denote the ElGamal based m-KEM described in Section 5.2 applied to n public keys. We compare the number of group exponentiations performed in the following table:

                     EG(n)         EG_KEM(n)
    Encapsulation    [illegible]   [illegible]
    Decapsulation    1             2

Hence we see that our method is more efficient than simply concatenating n ElGamal ciphertexts together. In addition our method only requires the transmission of n + 1 group elements as opposed to 2n group elements for the naive method.

We now compare our construction of an ID-m-KEM to that of applying the ID-IND-CCA2 Boneh-Franklin ID encryption function a number of times so as to encrypt a session key. We suppose we wish to transmit a large message to n recipients; we ignore the number of additions in G_1 and multiplications in G_2 since these are negligible in comparison to the number of pairing computations (P) or group exponentiations (E).

                     ID-m-KEM      ID-IND-CCA2
    Encapsulation    [illegible]   nP + 2nE
    Decapsulation    2P + 1E       [illegible]

Hence, one can see that our methodology is much more efficient from the sender's perspective.



8 Additional ID-based Techniques

In this section we describe additional techniques which allow various improvements in the identity based setting.

8.1 Point Compression

In pairing based systems we need to transmit various elliptic curve points, e.g. the trust authority's key R or a component of the ciphertext U or U_i. Each point P consists of an x and y coordinate, but each x coordinate can only give rise to at most two y coordinates. A standard way of reducing bandwidth in elliptic curve based systems is to transmit x plus a single bit stating which value of y to take.

However, in pairing based systems we have another possibility. We can simply transmit the x and leave the receiver to decide for themselves which value of y to take. Due to the elliptic curve group law the receiver's and sender's value of P will differ by at most a change in sign.

At some point in a pairing based protocol one evaluates a pairing at two points; if one (or both) of the points are only determined up to sign then the evaluation will only be determined up to taking an inverse in G_2. This ambiguity can be removed by taking, for the pairing value s,

    z = s + 1/s.

Hence in the above ID-based protocols one would apply H_2 to z rather than s. Such a remark applies to both the above m-ID scheme and ID-m-KEM, it also applies to the Boneh-Franklin scheme [3] and it can be adapted to work with the various signature schemes (both traditional and ID based) which are based on pairings that can be found in the literature.

8.2 Intersecting Domains

In the above ID-m-KEMs and in the Boneh-Franklin ID-based encryption scheme one uses the trust authority's public key to define a certain domain of trust. Recall this public key is given by

    R = sk·P

where sk is the secret key of the trust authority and P is some fixed public point. The trust authority is responsible for providing users with their secret keys, and as such it vouches for the identity of each user.

In various situations one can imagine sending an email where the sender does not wish to solely rely on the procedures of the receiver's trust authority with public key R_1 = s_1·P. However, the sender may trust another trust authority with public key R_2 = s_2·P. The sender can obtain the effect of intersecting the two trust domains, if they have the same domain parameters, by simply adding the two public keys together to obtain a public key for a virtual trust authority

    R = R_1 + R_2 = (s_1 + s_2)·P.

The associated user secret keys for the new virtual domain are obtained by adding the two secret keys for the two original domains, i.e.

    S_ID = S^1_ID + S^2_ID = (s_1 + s_2)·Q_ID.

Clearly such a technique not only applies to encryption techniques but can also be applied to identity based signature techniques based on pairings, such as that of Hess. In such a signature scenario it helps mitigate the problems associated with key-escrow and non-repudiation.
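As an added example (not from the paper) of the intersecting-domains idea, the Python below realises R = R_1 + R_2 and S_ID = S^1_ID + S^2_ID on a toy curve y^2 = x^3 + 7 over F_17 with base point (15, 13). The curve is not pairing-friendly and is far too small for any use; H_1 is replaced by hashing the identity to a scalar and multiplying the base point, a simplification of our own. What it shows is that the virtual authority's keys satisfy R = (s_1 + s_2)P and S_ID = (s_1 + s_2)Q_ID without any party holding s_1 + s_2, and that a user equipped by only one of the two authorities does not hold the virtual-domain key.

```python
import hashlib

# Added example, not the paper's code: the "intersecting domains" idea of
# Section 8.2 on a toy curve.  y^2 = x^3 + 7 over F_17 with base point (15, 13)
# (a point of order 18) is far too small for any real use and is not
# pairing-friendly; it serves only to show the additive key relations.
CURVE_P = 17
CURVE_A = 0
BASE = (15, 13)          # the fixed public point P of the paper


def ec_add(A, B):
    """Group law on the curve; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % CURVE_P == 0:
        return None                                   # A = -B
    if A == B:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, CURVE_P) % CURVE_P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % CURVE_P, -1, CURVE_P) % CURVE_P
    x3 = (lam * lam - x1 - x2) % CURVE_P
    y3 = (lam * (x1 - x3) - y1) % CURVE_P
    return (x3, y3)


def ec_mul(k, A):
    """Scalar multiplication k*A by double-and-add."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def hash_to_point(identity: bytes):
    """Stand-in for H_1 (our simplification): hash the identity to a scalar in
    1..17 and multiply the base point, so Q_ID is never the point at infinity."""
    h = int.from_bytes(hashlib.sha256(identity).digest(), "big") % 17 + 1
    return ec_mul(h, BASE)


def authority_keys(s: int):
    """One trust authority: secret s, public R = s*P."""
    return ec_mul(s, BASE), s


def extract(s: int, identity: bytes):
    """Key extraction X(ID, sk): S_ID = s * Q_ID."""
    return ec_mul(s, hash_to_point(identity))


def virtual_domain(s1: int, s2: int, identity: bytes):
    """Two authorities with the same domain parameters: the sender adds the
    public keys, the user adds the keys extracted from each authority."""
    R1, _ = authority_keys(s1)
    R2, _ = authority_keys(s2)
    R = ec_add(R1, R2)                                         # R = R_1 + R_2
    S = ec_add(extract(s1, identity), extract(s2, identity))   # S_ID = S^1_ID + S^2_ID
    return R, S


def relations_hold(s1: int, s2: int, identity: bytes) -> bool:
    """R = (s1+s2)P and S_ID = (s1+s2)Q_ID: the virtual authority behaves as
    if it had the secret s1+s2, although nobody holds that value."""
    R, S = virtual_domain(s1, s2, identity)
    Q = hash_to_point(identity)
    return R == ec_mul(s1 + s2, BASE) and S == ec_mul(s1 + s2, Q)


def single_authority_insufficient(s1: int, s2: int, identity: bytes) -> bool:
    """A user holding only the key issued by TA1 lacks the virtual-domain key."""
    _, S = virtual_domain(s1, s2, identity)
    return extract(s1, identity) != S
```

For the pairing-based schemes of Sections 6 and 8.2 the same relations hold in G_1, and because the pairing is bilinear the decryption equations go through with R and S_ID in place of R_1 and S^1_ID; the toy curve here cannot exhibit that last step, only the key relations.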
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A Review of Dent's CJonstruction 



In this sectioii we recap on some prior -work on classical KEM^b, in particnlax a 
construction of a secure KEM given a public key encryption alg^tbm which is 
secure in the sense of OW-C3PA [5]- 

We first torn our attention to probabilistic public key encryption sdiemes^ 
We formal^ define these as a triple of algorithms: 

— 0(D) which is a probabilistic gen^ation algarithm. On input of P, tlte do* 
main parameterSi this ^lg:cNdtlini outpuls a public/private key pair (pk, sk)« 

— f (tn,pk) wMch is a probabilistic public fc^ encryption algorithm. On input 
of a public key pk and a message m E M tins algorithm output a dlphertext 
c, ifc makes use of a random value drawn from a space 72. 

— 17(0, ak) winch is a decryption algoritlun* Tliis takes as input a dlphertext 
c and a private key sk and outputs the associated message m or a special 
symbol JL r^resenting the case where c is an invs£d opbeorteoct with reject 
to the private key ak. 

Sbr such a scheme to be useful we reqiure that it is sound in the foDowing sense» 
'Pr((i*,flk)+-e<D),rn^>t,c4---5(m,pk) :m= 2?(c,sk)) = 1. 

We also require that the sdbeme is trufy probabilistic in that thue proportion of 
*vahies of r, used as input into f (myplqr)^ tliat encrypt a given message to a 
g^ven ciph£9te3ct is negligible as a function of the secxmty parameter. 

We shall require the securily notion of OW-CSPA for public key schemes, 
winch we recap on now. We assume an adversary A, whidh takes a challenge 
ciphertext c* and a public key and \b asked to produce the assodsted plaintext. 
Tbe sdieme said to be OW-CPA secure if no adversary exists whicdi wins the 
foiliowing g^me with probaldlity gpceater than a negligible fimct k>n of the security 
parameter fc. • 

(pk,sk)^g(B)- 

m <— Ai- 

c* £:{m,pk). 

Output whether m m'- 

The adversary is not given access to any decryption orates, but is clearly allowed 
to enciypt arbitrary messages of its choice since it has access to pk. 

Dent [5] proposes a KEM, derived from a OW-CPA probabilistic public key algorithm (G, E, D), a hash function H with codomain R (the space of randomness used by algorithm E) and a key derivation function KDF with domain M. Dent's scheme is described as follows:

Encapsulation under pk:
m ← M.
r ← H(m).
C ← E(m, pk; r).
K ← KDF(m).
Output (K, C).

Decapsulation of C under sk:
m ← D(C, sk).
If m = ⊥ then output ⊥ and halt.
r ← H(m).
Check that C = E(m, pk; r); if not output ⊥ and halt.
K ← KDF(m).
Output K.



One then has the following result, when one models the functions H and KDF as random oracles.

Theorem 4 (Dent [5]). If (G, E, D) is a OW-CPA probabilistic public key encryption algorithm then in the random oracle model the KEM (G_KEM, E_KEM, D_KEM) derived from (G, E, D) is secure in the sense of IND-CCA2.



B Proof of Theorem 1 

Since (G, E, D) is IND-CCA2 secure as a public key encryption algorithm it is secure in the multi-user setting described in [2].

We recap on the security model from [2]. The adversary is given n public keys pk_1, ..., pk_n and is given access to a left-right oracle O_LR which on input of (m_0, m_1, pk_i) will output the encryption of m_b under pk_i for some fixed hidden bit b. The adversary is given access to a decryption oracle O_D for all the public keys pk_i, subject to the constraint that it is not allowed to ask for the decryption of the result of a call to the left-right oracle O_LR.

We assume an adversary A against the mKEM (G_mKEM, E_mKEM, D_mKEM) and show how one can use this to produce an adversary B against (G, E, D) in the above multi-user setting. Thus we will derive a contradiction.

Algorithm B takes as input the n public keys P = {pk_1, ..., pk_n}. These are then passed into algorithm A^1. We answer the decapsulation oracle queries of A^1 using the decryption oracle provided to B in an obvious way, i.e. on input of (c_1, ..., c_n) with respect to some public key pk_i we execute

m ← O_D(c_i, pk_i).
If m = ⊥ then output ⊥ and halt.
K ← KDF(m).
Output K.

Algorithm A^1 eventually will terminate and will return a list of public keys and a state s.
Algorithm B then computes two random messages m_0, m_1 ∈ M and computes K_0 = KDF(m_0) and K_1 = KDF(m_1). Then using the left-right oracle it computes the challenge encapsulation C*.

One then executes A^2(C*, {K_0, K_1}, s). The decapsulation oracle queries of A^2 are answered as above, on noting that any oracle query allowed in the game being played by A^2 will be able to be answered by the oracle provided to B.

Finally A^2 will respond with its guess b' as to the hidden bit; we let this bit b' be the output of B. If A^2 answers correctly then algorithm B will also answer correctly.

C PrcK>f of Theorem 2 

We let (G_KEM, E_KEM, D_KEM) denote the ordinary KEM derived from the ElGamal system via Dent's transform for OW-CPA probabilistic public key algorithms. It is known, by Theorem 4, that in the random oracle model the scheme (G_KEM, E_KEM, D_KEM) is secure in the IND-CCA2 sense assuming the Diffie-Hellman problem is hard.

We let (G_mKEM, E_mKEM, D_mKEM) denote our mKEM. We shall assume we have an IND-CCA2 adversary A against this scheme in the random oracle model which works against n public keys. We shall show how to use A to create an adversary B against (G_KEM, E_KEM, D_KEM). Since such an adversary is assumed, in the random oracle model, not to exist we can then conclude that A could not exist either.

We first describe algorithm B^1(pk). Let pk_1 = pk denote the public key input into algorithm B^1. We first generate some extra public keys via random values k_i and pk_i = pk · g^{k_i}, for i = 2, 3, ..., n. We now pass the set P = {pk_1, ..., pk_n} into A^1. We then obtain a subset P' and a state s'. We shall discuss how to answer all decapsulation oracle queries of A^1 later. We let s denote the state

s = {(k_2, pk_2), ..., (k_n, pk_n), P', s'}

and return s as the output of B^1(pk).

Algorithm B^2 takes as input two keys K_0 and K_1, the state information s and an encapsulation C* of one of the keys K_b ∈ {K_0, K_1} from the algorithm E_KEM with respect to the public key pk. We first need to create a valid encapsulation C*_m of the key K_b with respect to the algorithm E_mKEM and the set of keys P' = {pk_1, ..., pk_n}. We have

C* = (c_0^*, c_1^*) = (g^r, m · pk^r)

with K_b = KDF(m) and r = H(m), whereas

C*_m = (c_0^*, c_1^*, ..., c_n^*) = (g^r, m · pk_1^r, ..., m · pk_n^r).

Take c_0^* from C* unchanged, and for j = 1, ..., n set

c_j^* = c_1^* · (c_0^*)^{k_j},

where we let k_1 = 0. This is correct since c_1^* · (c_0^*)^{k_j} = m · pk^r · g^{r k_j} = m · (pk · g^{k_j})^r = m · pk_j^r.

Having constructed C*_m we can now pass (C*_m, {K_0, K_1}, s') to A^2, which will output with non-negligible probability a bit b' such that K_{b'} = K_b. Hence by returning the bit b' output from the algorithm A^2 we obtain an algorithm B which with non-negligible probability will break the security of (G_KEM, E_KEM, D_KEM) in the IND-CCA2 sense.

All that remains is to show how to answer the decapsulation oracle queries of algorithm A. Recall we have a decapsulation oracle O_KEM for the KEM, which will respond with respect to the public key pk on all encapsulations C, subject to the constraint that we are not allowed to query it with C = C*. The decapsulation queries of A must be answered correctly unless the query corresponds to the key K_b.

Suppose we are given the, possibly invalid, encapsulation

C_m = (c_0, c_1, ..., c_n), where c_0 = g^r,

and we are asked to decapsulate it with respect to the public key pk_j. This should result in the key K = KDF(m) if and only if r = H(m), for the message m recovered from c_j.

We first form the encapsulation (c_0, c_1) with respect to the scheme KEM, via keeping c_0 as it is and setting

c_1 = c_j · c_0^{-k_j}.

Note, since we are not allowed to query A's decapsulation oracle with any encapsulation which corresponds to K_b, the pair (c_0, c_1) must not be an encapsulation of K_b.

The oracle O will not respond if c_0 = c_0^* and c_1 = c_1^*. Such a situation would mean that O returns K_b, i.e. the encapsulation C_m is an encapsulation of K_b with respect to pk_j, and such a query is invalid under the security model for A.

We can, therefore, assume that either c_0 ≠ c_0^* or c_1 ≠ c_1^*. In either case the oracle O will compute the ElGamal decryption m' of (c_0, c_1) under the secret key of pk, so that c_1 = c_j · c_0^{-k_j} = m' · pk^r. For the oracle O to return K = KDF(m') we must have r = H(m'). In which case (c_0, c_1) is a (possibly badly formed) ciphertext for the KEM which nevertheless passes the validity check, and C_m is a (possibly badly formed) ciphertext for the mKEM which also passes the validity check of the mKEM. Hence, A's oracle should return K, unless K = K_b, in which case we have found a collision in KDF since KDF(m') = K_b = KDF(m) with m' ≠ m (if m' = m then (c_0, c_1) = C*, which is excluded). Such a collision will only occur with negligible probability since KDF is modelled as a random oracle.
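The ElGamal mKEM and the two transforms the reduction above relies on (pk_i = pk · g^{k_i} for the keys, c_j^* = c_1^* · (c_0^*)^{k_j} to lift the single-key challenge, and c_1 = c_j · c_0^{-k_j} to project a decapsulation query back to the single-key oracle), as an added Python example; it is not code from the patent. With a single recipient its encapsulation and decapsulation are exactly Dent's transform applied to ElGamal, so the same block also serves the KEM description in the appendix above. It assumes a toy 64-bit safe-prime group found at start-up, SHA-256 with domain separation as the instantiation of H and KDF, the function names used here (mkem_encap, mkem_decap, sim_keys, lift_challenge, project_query), and a decapsulation that re-encrypts every component as its validity check; none of these choices is specified on this page.

```python
# Added example, not code from the patent: the ElGamal mKEM of Theorem 2 and
# the simulator's key/ciphertext transforms.  With n = 1 the mKEM is exactly
# Dent's KEM applied to ElGamal.  The 64-bit safe-prime group and the
# SHA-256 instantiations of H and KDF are toy choices made here.
import hashlib
import secrets

def is_probable_prime(n, rounds=20):
    """Miller-Rabin for large n (probabilistic; fine for a demo group)."""
    if n < 4:
        return n > 1
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits=64):
    """First p = 2q + 1 with q prime above 2^(bits-1); deterministic start."""
    q = (1 << (bits - 1)) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime()
G = 4                                   # a quadratic residue mod P, so of order Q
NBYTES = (P.bit_length() + 7) // 8

def H(m):
    """H: M -> R = {1, ..., Q-1}, the randomness space of ElGamal."""
    h = hashlib.sha256(b"H|" + m.to_bytes(NBYTES, "big")).digest()
    return int.from_bytes(h, "big") % (Q - 1) + 1

def KDF(m):
    """KDF: M -> 256-bit session key."""
    return hashlib.sha256(b"KDF|" + m.to_bytes(NBYTES, "big")).digest()

def keygen():
    """ElGamal key pair (pk, x) with pk = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x

def mkem_encap(pks):
    """C = (g^r, m*pk_1^r, ..., m*pk_n^r) with r = H(m); K = KDF(m)."""
    m = pow(G, secrets.randbelow(Q - 1) + 1, P)      # m <- M (the subgroup)
    r = H(m)
    return KDF(m), [pow(G, r, P)] + [m * pow(pk, r, P) % P for pk in pks]

def mkem_decap(C, j, x_j, pks):
    """Recover m from component j (1-based) with secret x_j, then re-encrypt.
    Returns None for the reject symbol.  The re-encryption check is what
    turns malleable ElGamal into a CCA-secure KEM (Dent's transform)."""
    if len(C) != len(pks) + 1 or not all(0 < c < P and pow(c, Q, P) == 1 for c in C):
        return None
    m = C[j] * pow(C[0], Q - x_j, P) % P                # c_j * c_0^{-x_j}
    r = H(m)
    if C[0] != pow(G, r, P) or any(C[i + 1] != m * pow(pk, r, P) % P
                                   for i, pk in enumerate(pks)):
        return None
    return KDF(m)

# --- the reduction of Theorem 2 -------------------------------------------
def sim_keys(pk, n):
    """B^1: pk_i = pk * g^{k_i} with k_1 = 0, so pk_1 is the challenge key."""
    ks = [0] + [secrets.randbelow(Q) for _ in range(n - 1)]
    return ks, [pk * pow(G, k, P) % P for k in ks]

def lift_challenge(C_star, ks):
    """B^2: (c0*, c1*) -> (c0*, c1*(c0*)^{k_1}, ..., c1*(c0*)^{k_n})."""
    c0, c1 = C_star
    return [c0] + [c1 * pow(c0, k, P) % P for k in ks]

def project_query(C_m, j, ks):
    """A's query on pk_j -> single-key query (c_0, c_j * c_0^{-k_j})."""
    return (C_m[0], C_m[j] * pow(C_m[0], Q - ks[j - 1], P) % P)

def demo(n=3):
    """Check every identity the proof relies on; True if all hold."""
    pk, x = keygen()
    ks, pks = sim_keys(pk, n)
    K, C_star = mkem_encap([pk])                        # what B is challenged with
    C_m = lift_challenge(C_star, ks)
    # The lifted challenge decapsulates to K under every pk_j (secret x + k_j,
    # which the simulator itself never needs to know).
    if any(mkem_decap(C_m, j, (x + ks[j - 1]) % Q, pks) != K for j in range(1, n + 1)):
        return False
    # A fresh query under the n keys is answered through the single-key oracle.
    K2, C_q = mkem_encap(pks)
    if any(mkem_decap(list(project_query(C_q, j, ks)), 1, x, [pk]) != K2
           for j in range(1, n + 1)):
        return False
    bad = list(C_q)
    bad[1] = bad[1] * G % P                             # maul one component
    return mkem_decap(bad, 1, (x + ks[0]) % Q, pks) is None

if __name__ == "__main__":
    print("all reduction identities hold:", demo())
```

Running the block prints whether every identity holds. The mauled-component case at the end is the point a defender should take from the proof: plain ElGamal would decrypt that component to a related message, but the re-encryption check rejects it, and that rejection is what the IND-CCA2 argument depends on.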

D Proof of Theorem 3 

First consider the scheme BasicPub from [3], which we recap on. The generation algorithm chooses a random master secret s and a random identity ID, and is given by

P_pub ← s·P,  Q_ID ← H_1(ID),  S_ID ← s·Q_ID.

The public key is given by pk = {P_pub, Q_ID} and the secret key is given by S_ID. Encryption (U, V) ← E(m, pk) is given by choosing a random r and setting

U ← r·P,
V ← m ⊕ H_2(ê(P_pub, r·Q_ID)).

Decryption in BasicPub is given by

m ← V ⊕ H_2(ê(U, S_ID)),

which recovers m since ê(U, S_ID) = ê(r·P, s·Q_ID) = ê(s·P, r·Q_ID) = ê(P_pub, r·Q_ID) by bilinearity.

Assuming the BDH assumption holds for the set of domain parameters, Boneh and Franklin show that this public key scheme is secure in the OW-CPA model. Notice that BasicPub is the same as BasicIdent except that the identity is now a random identity chosen at the time of generation of the public key.

We let (G_KEM, E_KEM, D_KEM) denote the KEM derived from BasicPub using Dent's method. By Dent's Theorem, Theorem 4, this KEM is secure in the sense of IND-CCA2.

We let A denote an adversary, in the sense of (1,n)-ID-IND-CCA2, against our ID-m-KEM given by (G_ID-mKEM, E_ID-mKEM, D_ID-mKEM). We will construct an adversary B which breaks (G_KEM, E_KEM, D_KEM) in the sense of IND-CCA2; this will give us our necessary contradiction. In our proof we shall model the function H_1 as a random oracle.

Algorithm B^1 takes as input a public key pk = {P_pub, Q_ID}. We let R, the trust authority's public key, be given by P_pub. If algorithm A requires the extraction of the secret key with respect to an identity ID_i, or evaluation of H_1 at ID_i, then we fix the oracle calls of H_1 so that

Q_{ID_i} = a_i·P = H_1(ID_i)

for a random a_i, and set S_{ID_i} = a_i·P_pub. Notice that for all i we have S_{ID_i} = s·Q_{ID_i}, hence S_{ID_i} is a valid secret key for the identity ID_i.

We generate a random identity ID and define H_1 so that Q_ID = H_1(ID). We also generate a set of n identities

{ID_1, ..., ID_n}

in such a way that for some j ∈ {1, ..., n} we have ID_j = ID.

We pass this set of identities to the algorithm A^1, answering its decapsulation queries with respect to ID_i for i = j via the decapsulation oracle of B and the other decapsulation queries using the associated secret keys. At the end of algorithm A^1, since A is a (1,n)-ID-IND-CCA2 adversary, we obtain a single identity ID' plus the internal state s'.

If ID' ≠ ID then algorithm B^1 halts and restarts. Since j ∈ {1, ..., n} is chosen out of the view of algorithm A^1, and the identities are chosen randomly, the probability that one obtains ID' = ID from algorithm A^1 is at least 1/n. Eventually, after at most polynomially many trials, algorithm B^1 will then terminate by outputting its complete internal state s.

Algorithm B^2 is defined as follows. It is passed the internal state s of B^1, two keys K_0 and K_1 plus an encapsulation C* of one of these keys K_b under E_KEM, for some hidden bit b. The encapsulation is produced by E_KEM from some random nonce, as in Dent's construction above.

Algorithm B^2 then takes this as the challenge encapsulation on the identity set P' = {ID} under E_ID-mKEM. Algorithm A^2 is then passed the internal state of A^1, the identity set P' = {ID}, the keys {K_0, K_1} and the challenge C*. Algorithm A^2 returns with its guess as to the hidden bit b. This bit is returned as the output of B^2. Clearly if A^2 is successful then so is B^2.

The decapsulation and extraction queries of A^2 are handled as for A^1. It is guaranteed by the security model for A^2 that at no point will a disallowed oracle query be made to the oracle provided by B^2.